[Hack]in(sight) Vol.2 No.3

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. For more details on the different types of XSS flaws.

Inside the publication you will find 5 technical articles:

Page 5: Advanced Cross Site Scripting Attack
Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user (Read below for further details) in order to gather data from them. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. New malicious uses are being found every day for XSS attacks. The post below by Brett Moore brings up a good point with regard to "Denial of Service", and potential "auto-attacking" of hosts if a user simply reads a post on a message board.

Page 32: Securing Web Applications Before Deployment
An analysis focused on various frameworks used to deploy web applications.

Page 42: Attacking the Honeywell Falcon XLWeb
The Honeywell Falcon (XLWeb Linux/Webserver) contains a vulnerability which allows anyone, even without knowing the username or password, to log in as an administrator in the system. This article explains an exotic vulnerability in a rather exotic system: an authentication bypass vulnerability in a SCADA controller. Although this information has been available since a few months after it was disclosed by the ISC CERT to member organizations, multiple unpatched systems remain exposed to the Internet.

Page 53: XSS Prevention Cheat Sheet
This article provides a simple positive model for preventing XSS by using output escaping/encoding properly. While there are a huge number of XSS attack vectors, following a few simple rules can completely defend against this serious attack. This article does not explore the technical or business impact of XSS. Suffice it to say that it can lead to an attacker gaining the ability to do anything a victim can do through their browser.

Page 68: How to get started in Application Security
Making application security accessible and actionable to all developers is a key part of OWASP's mission. Application security is needed in all ranks of developers, particularly computer science students who typically receive little or no training about secure coding techniques. The whole series of OWASP Cheat Sheets is a great way to dig into appsec.